GDPR EU Representative
Amongst the current whirlwind of Brexit-related stuff – international data transfers, adequacy decisions and possible UK data regime divergence – it would be easy to overlook the GDPR requirements regarding appointing an EU representative.
As of 1st January 2021 organisations in the UK, like others based outside the European Economic Area (EEA), may fall under this obligation. Conversely, organisations based outside the UK may fall under a requirement to have a UK representative.
Do you need an EU representative?
If you’re based in the UK and:
- offer goods and services to individuals in the EEA
- monitor individuals’ behaviour
- you don’t have a branch, office or establishment in an EEA state
You’ll need to appoint an EU Representative.
What constitutes ‘Offering Goods and Services’?
The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.
Just because your website might be accessible to EU citizens isn’t enough to warrant the necessity of having an EU Representative. It needs to be ‘apparent or envisaged’ that your products and services are being offered to individuals in one or more EU member states.
Let’s take a look at what that means. Does your organisation:
- describe products and services in the language of an EU member state?
- offer prices in Euros?
- actively run marketing and advertising campaigns targeting an EU country audience?
- mention dedicated contact details to be reached from an EU country?
- use any top-level domain names, such as .de or .eu?
- describe travel instructions from one or more EU member states to where your service is provided?
- mention clients/customers based in one or more EU states?
- offer to deliver goods to EU member states?
Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Rep.
You will not need to appoint a representative if:
- you are a public authority
- your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we are a small business and our answer to all the above questions is NO.
However, if you are actively targeting marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.
What an EU Representative does
You’ve established you need an EU Representative? You need to know what their responsibilities are before finding a company to provide this service.
Your EU representative has the following core responsibilities:
- co-operating with the EU supervisory authorities on your behalf
- facilitating communications between EU citizens and your organisation
- being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
- supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.
A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies.
However, you should be mindful that you need to pick a relevant country: if your clients/customers are primarily Italian, your representative should be based in Italy.
What about UK Representatives?
Under UK GDPR (which will sit alongside an amended version of the UK DPA 2018) there will also be an obligation on organisations based outside the UK to appoint a UK representative if they have no office, branch or establishment in the UK and they:
- offer goods and services to UK citizens
- monitor the behaviour of UK citizens
Again, if your processing of UK citizens’ data is occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data, the requirement for a UK Rep will not apply.
Finally, if you haven’t done so already, any UK organisation needs to update their policies and privacy notices to reflect that the UK will be outside the EU. You may also need to just double check any DPIAs and other assessments regarding international data transfers.
On a recent ICO Brexit webinar someone asked whether policies and notices need to be updated by 1st January 2021. The response was organisations should make efforts to make sure documentation is revised but, as always, the regulator would take a ‘proportionate and reasonable’ approach.
I think it’s fair to say there’s a little breathing space, but we recommend businesses do this sooner rather than later.
Philippa Donn, December 2020
If you are based outside the UK, we offer a UK Representative Service. Get in touch if you’d like more information and to chat with one of the team.
Also see the ICO’s Guidance on EU Representatives
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.